Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Spam Communications Security

Darkmail Attacks - The Next Network Threat? 58

An anonymous reader wonders: "SC Magazine are running an article on the growth of so called Dark Mail Attacks. Whitedust Security appear to have identified this as a potential problem way back in December 2004. Since that time, a marked increase in attacks of this nature, including the recent attacks on the UK Government infrastructure, have been recorded. Are these types of attack a new large scale threat or just a passing fad?"
This discussion has been archived. No new comments can be posted.

Darkmail Attacks - The Next Network Threat?

Comments Filter:
  • by telstar ( 236404 ) on Thursday August 04, 2005 @06:14PM (#13245196)
    I feel like I went to sleep and woke up in a Mad Max sequel.
  • Attacks (Score:2, Funny)

    by FidelCatsro ( 861135 )
    Will always be a risk till humanity matures and has some global consciousness (or something of that sort) or if the vulnerability's are kept to a minimum to make the effort not worth pursuing.
    Teach a man to Phish and he will pheed himself for life .
    Close up the vulnerabilities and he he will starphe
  • by TFGeditor ( 737839 ) on Thursday August 04, 2005 @06:49PM (#13245469) Homepage
    FTFA: "Earlier this month SC reported some spammers are turning their back on the spam business. Self-d spam king Scott Richter has now been spam-free for over six months."

    Seems incongruous to declare "spammers are turning their back on the spam business" in an article about a malicious new "brute force" spamming scheme that has grown "400 percent in the last twelve months according to a report from email filtering company Email Systems."

    And and what does the writer of TFA base this notion, anyway? That one spammer (Richter) has been spam-free for six months?

    Where's the beef?
    • And unless I totally misunderstood the article, "darkmail attacks" are nothing more than spam. Granted, in very large quantites, but nothing that businesses with "tempting" domains haven't been experiencing for years.

      It's just that "dictionary attacks" of hundreds of thousands of to: addresses are being used on smaller domains with more frequency.

      Same problem, same methods. Spammers are just casting a bigger net, as their success rates are diminishing due to filtering.
    • Look at the bottom of the article. It's a link to, the so-called anti-spam experts quoted in the so-called article. Basically, this is a PR piece designed to generate exposure for emailsystems. It doesn't have to make sense or be consistent -- as long as their name appears in print, and they can keep making it appear in print, somebody will eventually think, "Gee, these guys must be experts... I think I'll use their products/services."
  • Egress Filtering (Score:3, Interesting)

    by QuantumRiff ( 120817 ) on Thursday August 04, 2005 @06:53PM (#13245498)
    Is it really so hard to setup egress filtering on your networks? Seriously, if people started allowing their email servers, and only their email servers to send email, then we could eliminate zombies. This is a 2 line entry into an access list on your border router. (heck, be a good net neighbor if your at it. If you're a corporation, do you really need port 135 leaving your network?) This would force Spammers to stop using zombified company machines, and home users on broadband to send hundreds of thousands of emails a minute. (not to mention checking your logs quickly tells you wich machines might be infected and need a visit from a tech)

    Honestly, the thing that gets me is that most firewalls block incoming, but allow all outgoing traffic. Why? Do you want the next virus to hit and email out as an attachment your word documents? They might have trade secrets, or your budget numbers, etc. Do they want an inside machine setting up a "hole" in the firewall to a IRC server? once they establish the connection from the inside, most firewalls will then ignore the stream. Force spammers to use real mail servers so that they can be appropriately blocked.

    I have never had someone give me an intelligent reason on why outgoing port 25 should not be blocked. I've heard the argument about people running email on their broadband connections. (I do, and route outgoing through my ISP's SMTP relay server)

    • It's the same reason people only install spybot and AV software after they've been hit. Nobody thinks of locking the barn until after the cows are gone.
    • Seriously, some of us don't go about it the way you do. I provide private email services to friends and family... that involves not having to constantly circumvent the crap others put in our way. Plus, this way, they don't have to worry. I won't sell them out to spammers, pharmers, phishers or ass monkeys at the M$ marketting department. In return they behave, or I can their asses if they send spam. (I also do a far better job of keeping them spam free and keeping their service running... FAST...)

      The m
    • My Client Emails (Score:3, Insightful)

      by TexTex ( 323298 ) *
      Why allow port 25 outgoing? My clients. They come in to my business and want to send their email. Guess what? Their corporate, locked-down laptop is set up to point to only their smtp server. VPNs are around 20-30% of the time, and so they end up needing to connect to their mail servers to send out.

      Having port 25 open on an outgoing connection isn't that big of a deal if you monitor and control it. Virus scan both ways, rate limit max connections, etc.
      • It's the responsibility of your clients to have a VPN set up to access their home network. If the company takes the time to prevent their employees from changing their SMTP settings on their laptops, surely they can take the time to set up VPN access.

        They'd also get the benefit of knowing that you (or other companies they do on-site business with) can't snoop their e-mail.

      • by fingal ( 49160 )

        There is one school of thought which says that permitting open access to your internal network to machines that are not under your control is a potential recipe for disaster and might well compromise all your nice firewalling work that you have done (it's not called a trusted network for nothing)

        The solution to this is to have a DMZ zone which untrusted clients are allowed to connect on which may have outgoing SMTP enabled, and keep your trusted network as exactly that. No more spam bots, no more email-l

      • There are 2 cases:

        1) They are sending a complete message, which just needs to be routed. This could be sent through your smtp server (port 25) just as easily as through their company server.

        2) They are actually doing a mail submission, so that the mail will be "From" This should be on port 587 using secure authentication.

        So no reason not to block port 25.
    • IMHO, I don't think this is the best way to eliminate zombies.
      I think that the best thing to do would be to call a cleric to turn all the zombies in your company.
      This would force the evil cleric spammers to stop rebuking your zombies...

      Although I like your idea of checking the logs, this would tell which machines need a visit from a tech (hmmm... cleric)

    • I have never had someone give me an intelligent reason on why outgoing port 25 should not be blocked. I've heard the argument about people running email on their broadband connections. (I do, and route outgoing through my ISP's SMTP relay server)

      I run an SMTP server and resent your saying it should be filtered by my ISP. I don't send spam and don't want someone intervening in my email. Get the distributors of bad email not the innocents.
  • No surprise (Score:3, Interesting)

    by metamatic ( 202216 ) on Thursday August 04, 2005 @07:07PM (#13245601) Homepage Journal
    I wrote a series of articles in which I mentioned this problem, caused by many approaches to spam filtering. smal.html []

    Basically, spam is an economic problem. Attempts at a technological solution usually involve filtering spam. Since a filter can never be 100% accurate, as filters are deployed the volume of spam increases. So basically, filters "work" as long as most people aren't using them; once they become widespread, the spam volume goes up and up until the network collapses under the bandwidth load (or we try a different approach).

    As I conclude in my article, attempting to analyze logically from first principles, the only type of solution which will work is an economic one. Unfortunately, most people dismiss economic solutions out of hand. They're too attached to the fundamentally broken economic model of today's e-mail.

    Ironically, the same people often express surprise that the RIAA can't see how broken their economic model is...
    • Re:No surprise (Score:2, Insightful)

      by Trepalium ( 109107 )
      The idea of making people pay for their e-mail comes up frequently, but those who propose it rarely mention the problems with it.

      First, it doesn't really solve the zombie spambot problems. Spammers don't seem to care if they break the law or not, provided they don't get caught. A large amount of spam already comes from zombie PCs, and your proposal wouldn't change that. The only thing that would change is some poor slob would end up with a $500 internet bill every now and then. Since it's unlikely the

      • For #1, I have a couple of possible solutions I intend to write about.

        For #2, the same argument could be made as to the impossibility of credit card payments. Somehow, we found a way.

        "Trusted" computing doesn't solve anything, because there's no way you'll ever get it to be ubiquitous and mandatory. I'd go back to setting up a UUCP network with my friends before I'd agree to Trusted Computing as a condition of TCP/IP e-mail access.
    • What stops spammers from shifting their strategies to match your economic model? Any economic change requires a payment from someone to someone. If the payment is to email recipients, spammers will become recipients. If it is to ISPs, spammers will become ISPs. Forcing pay-for-email schemes on the internet creates opportunities for abuse, it doesn't solve anything.
      • If spammers become e-mail recipients, so what? They've stopped spamming. If they think they can make money joining mailing lists, they're welcome to go ahead and try.

        As for spammers becoming ISPs--that has already happened. But no, my article explains why the payment has to go to the end user, not the ISP. (Though one option would be for the ISP to take a cut.)
        • Spammers are criminals who make money by hijacking PCs and selling advertising services. You want to eliminate the need to sell advertising services and pay them directly. They will now start hijacking PCs to send themselves mail, sticking the former PC owners with the bill. Very good for the spammers, very bad for everyone else.

          And please don't say there will be a foolproof authentication scheme. If there were such a thing, we could just use it for free mail and skip the payments, right?
    • There is nothing, nothing as lame as quoting yourself.
  • Not really new. (Score:1, Informative)

    by Anonymous Coward
    This so-called darkmail isn't really new, it's merely a derivative of the age-old mailbomb. Certainly it can easily be defended against by using anti-mailbomb techniques like rate limiting and address limits. Too bad for you if you use Exchange but, the likels of Postfix or GroupWise make this idiot proof. The "problem" can further be mitigated by using RBLs at the SMTP level, before message transfer. That means, connect, check RBL, tell spammer 5.5.4 Piss Off, disconnect.

    Even if your spam filtering has ach
  • Thanks to this kind of mail, I'm getting on average about 300M (megabytes, you've read it right) of mail traffic a day. On a box with one active user.

    Especially hilarious are mails from admin@mydomain telling me that my account has just been suspended..

    • Are you blocking on SMTP connection or with procmail after the email has been received?

      You should be able to save a lot of bandwidth that way.

      Having said that, I use dozens of different email addresses on my domain (generally one per sign-up &c.) so this doesn't work so well for me...
      • There's a caveat: I'm on a UUCP feed. Nothing can be done until after the message is received - by which time it's too late.
  • by Nonesuch ( 90847 ) * on Thursday August 04, 2005 @08:29PM (#13246082) Homepage Journal
    The latest version of pf, spamd [], and spamdb offered with OpenBSD 3.7 work well to address the problem of high-volume dictionary attacks, through a combination of bandwidth shaping, tarpitting, greylisting, and spamtrap addresses.

    Basically, you configure spamdb to greylist [] unknown senders, and provide it with a huge list of "spamtrap" addresses, which are invalid email addresses not actually used in your domain.

    Any source which tries to email to a spamtrap address is temporarily blacklisted, just like how SpamCop's SCBL reacts to a message to a spamtrap.

    Recent enhancements to 'pf' [] provide for rate-limiting connections based on the source IP, in addition to the regular bandwidth shaping features. With minimal effort you can configure an OpenBSD mail gateway or router to ensure that you waste as much of the spammers time as possible, while expending the least amount of your own effort and bandwidth.

    • Suppose I setup a spamtrap of "george" because no one here uses that address.

      But a legitimate contact makes a mistake typing the address and does send it to "george".

      I would rather that it count the number of bad address attempts and blacklist the sender after X failures (5 for example).

      But the failures would have to be counted as unique and across multiple connections. So resending to "george" 5 times won't lock them out. But making 5 connections with a single attempt to Al, then Bill, then Curtis, then Da
    • The hosting provider I use for the vast majority of my clients and my personal site just added a greylist/graytrap system into place, and it works amazingly well so far.

      Three months and a total of 15 *total* spam messages have made it to my mail over that time period, which Spamassasin flagged and then Apple Mail's filtering dealt with accordingly. This is as opposed to about 750 per day on my two main accounts previously.

      The beauty of greylists is that false positives are virtually unheardof (I support abo
  • From the article:

    Darkmail is primarily used in distributed denial of service (DDoS) attacks and directory harvest attacks (DHA) in which a specific domain is hit with a flood of emails through an alphabetical list of names.

    But over the last year darkmail is being used to brute-force spam through filters and is clogging up bandwidth.

    Basically, it seems that darkmail is bulk mail sent to a domain with the advance knowledge that much of it will not reach a destination.

  • It can't be a fad. Geeks don't get fads.
  • This has been going on for YEARS. I have one domain name with 5 real users on it and I am getting blasted constantly with unknowns. Not 10 million but more like 25k a day.

    There are ways around it.

    1. If you're using SpamAssassin monitor what email addresses are getting hit as unknowns. If one gets say more than 20 hits add it to the blacklist to. That way if a real address gets the message and has one of those cc'd it will get tagged. I figured if they send to a common unknown it's probably safe to black
  • From TFA, end of the fourth paragraph:

    ...has been developed with the soul purpose of preventing junk mail arriving in users inbox's.

    This clearly identifies the problem with most spam filters: they ain't got no soul.

Karl's version of Parkinson's Law: Work expands to exceed the time alloted it.